From 1514c44655e12e93e453bbc9e1934cf6d30d3817 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 20 Apr 2018 16:32:46 +0200 Subject: [PATCH] http2: avoid strstr() on data not zero terminated It's not strictly clear if the API contract allows us to call strstr() on a string that isn't zero terminated even when we know it will find the substring, and clang's ASAN check dislikes us for it. Also added a check of the return code in case it fails, even if I can't think of a situation how that can trigger. Detected by OSS-Fuzz Closes #2513 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760 --- lib/http2.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/http2.c b/lib/http2.c index e60ae247b..077c03e6f 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -1851,8 +1851,11 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex, return -1; } - /* Extract :method, :path from request line */ - line_end = strstr(hdbuf, "\r\n"); + /* Extract :method, :path from request line + We do line endings with CRLF so checking for CR is enough */ + line_end = memchr(hdbuf, '\r', len); + if(!line_end) + goto fail; /* Method does not contain spaces */ end = memchr(hdbuf, ' ', line_end - hdbuf);